Evade EDRs the simple way, by not touching any of the APIs they hook.
Updated Apr 29, 2024 (PHP)
Stack Spoofing PoC
Event Tracing for Windows (ETW) EDR bypass in Rust
Repository to publish your evasion techniques and contribute to the project
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
Custom binary file packer/encoder with an integrated decoder stub. A pentest tool for modern EDR evasion.
Red Teaming Tactics and Techniques
Code snippet to create a process with the "PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON" mitigation policy, which stops DLLs that are not Microsoft-signed (most EDR userland hooking modules among them) from loading into the new process.
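The flag above, as an added example written for this page (not code from the repository listed): create a child process with BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON set through the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute, then read the policy back with GetProcessMitigationPolicy so the kernel, not the caller, confirms it was applied. notepad.exe as the child is an assumption for the demo; the macro values are the ones from winbase.h, repeated under #ifndef so the policy arithmetic also compiles on a non-Windows host.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#undef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00   /* GetProcessMitigationPolicy needs Windows 8+ headers */
#include <windows.h>
#include <wchar.h>
#endif

/* Values from winbase.h, guarded so the policy arithmetic also compiles
 * (and can be checked) off-Windows. Bits 44-45 hold the signature policy:
 * 1 = ALWAYS_ON, 2 = ALWAYS_OFF. */
#ifndef PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_MASK
#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_MASK      (0x3ULL << 44)
#endif
#ifndef PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (0x1ULL << 44)
#endif

/* The 64-bit word handed to PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY. */
uint64_t ms_signed_only_policy(void) {
    return PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
}

/* True only if the two-bit signature field is exactly ALWAYS_ON. */
int policy_is_ms_signed_only(uint64_t policy) {
    return (policy & PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_MASK)
        == PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
}

#ifdef _WIN32
/* Start `exe` with the policy set at creation time, i.e. before the child's
 * loader runs, so a non-Microsoft-signed hook DLL cannot be injected at
 * startup. Returns 1 if the kernel reports MicrosoftSignedOnly on the child,
 * 0 otherwise. The child is left running. */
int launch_ms_signed_only(const wchar_t *exe) {
    SIZE_T attr_size = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &attr_size);   /* size query; "fails" by design */
    LPPROC_THREAD_ATTRIBUTE_LIST attrs =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attr_size);
    if (!attrs) return 0;
    if (!InitializeProcThreadAttributeList(attrs, 1, 0, &attr_size)) {
        HeapFree(GetProcessHeap(), 0, attrs);
        return 0;
    }
    DWORD64 policy = ms_signed_only_policy();
    BOOL ok = UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                                        &policy, sizeof policy, NULL, NULL);

    STARTUPINFOEXW si = {0};
    si.StartupInfo.cb = sizeof si;
    si.lpAttributeList = attrs;
    PROCESS_INFORMATION pi = {0};
    wchar_t cmdline[MAX_PATH];                 /* CreateProcessW may write to lpCommandLine */
    wcsncpy(cmdline, exe, MAX_PATH - 1);
    cmdline[MAX_PATH - 1] = L'\0';
    ok = ok && CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT,
                              NULL, NULL, &si.StartupInfo, &pi);
    DeleteProcThreadAttributeList(attrs);
    HeapFree(GetProcessHeap(), 0, attrs);
    if (!ok) return 0;

    /* Verify from outside: ask the kernel which signature policy the child got. */
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sig = {0};
    int applied = GetProcessMitigationPolicy(pi.hProcess, ProcessSignaturePolicy, &sig, sizeof sig)
                  && sig.MicrosoftSignedOnly;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return applied;
}

int main(void) {
    /* notepad.exe is an assumed, harmless test target */
    int ok = launch_ms_signed_only(L"C:\\Windows\\System32\\notepad.exe");
    printf("child has MicrosoftSignedOnly: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
#else
int main(void) {
    printf("process creation is Windows-only; policy word = 0x%llx\n",
           (unsigned long long)ms_signed_only_policy());
    return 0;
}
#endif
```

Build on Windows with `cl demo.c` or `x86_64-w64-mingw32-gcc demo.c`. What it buys: the child's loader refuses any DLL that is not Microsoft-signed, which is how most EDR userland hooking DLLs arrive. What it does not buy: kernel callbacks and ETW-TI still see the child, the refused load is itself recorded by Code Integrity (event 3033 in Microsoft-Windows-CodeIntegrity/Operational), and the child must not depend on any non-Microsoft DLL of its own, so the target is normally a Microsoft-signed binary.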
Whenever PowerShell is launched, Notepad will also open. You can customize the script for educational purposes, but I emphasize that I do not take any responsibility for its use or any actions taken.
A (WIP) EDR evasion tool for x64 Windows and Linux binaries that uses Nanomites, written in Rust.
APC Queue Injection EDR Evasion in Rust
Mostly malicious or abusable powershell I've written
Malware EDR evasion via direct syscalls, fully implemented as an example in Rust
Defense Evasion Techniques Repository. This repository contains a collection of techniques designed to bypass Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems.
PoC of arbitrary WriteProcessMemory (WPM) without a process handle
Overwrite ntdll.dll's ".text" section with a clean copy to remove userland API hooks, obtaining the clean DLL from disk, the \KnownDlls section, a debugged process, or a URL
Indirect Syscall invocation via thread hijacking
This PoC executes x86 shellcode supplied as a .bin file, using x86 inline assembly and Windows fibers for execution
Transparently call the Native API (NTAPI) via Halo's Gate using indirect syscalls.